Displaying 20 results from an estimated 27 matches for "allow_tcp_forward".

2003 Jan 29
0
[PATCH] features for restricted shell environments
...sport)) == 0) { - debug("%.100s, line %lu: Bad permitopen port <%.100s>", - file, linenum, sport); - auth_debug_add("%.100s, line %lu: " - "Bad permitopen port", file, linenum); - xfree(patterns); - goto bad_option; - } - if (options.allow_tcp_forwarding) - channel_add_permitted_opens(host, port); xfree(patterns); goto next_option; } --- auth-pam.c 28 Jan 2003 18:06:51 -0000 1.1.1.2 +++ auth-pam.c 29 Jan 2003 20:39:19 -0000 1.2 @@ -358,7 +360,7 @@ no_port_forwarding_flag &= ~2; no_agent_forwarding_flag &= ~2; no_x1...
2004 Jan 19
3
Security suggestion concerning SSH and port forwarding.
Hi, sorry if it is the wrong approach to suggest improvements to OpenSSH, but here comes my suggestion: I recently stumbled upon the scponly shell which in its chroot:ed form is an ideal solution when you want to share some files with people you trust more or less. The problem is, if you use the scponlyc as shell, port forwarding is still allowed. This can of course be disallowed in
2002 Jul 25
3
[PATCH] prevent users from changing their environment
...e_response_authentication; int permit_empty_passwd; /* If false, do not permit empty * passwords. */ + int permit_user_env; /* If true, read ~/.ssh/environment */ int use_login; /* If true, login(1) is used */ int compression; /* If true, compression is allowed */ int allow_tcp_forwarding; --- servconf.c 23 Jun 2002 09:46:51 -0000 1.112 +++ servconf.c 24 Jul 2002 16:55:26 -0000 @@ -87,6 +87,7 @@ options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; options->permit_empty_passwd = -1; + options->permit_user_env = -1; opti...
2002 Aug 13
1
[PATCH] global port forwarding restriction
...sport)) == 0) { - debug("%.100s, line %lu: Bad permitopen port <%.100s>", - file, linenum, sport); - auth_debug_add("%.100s, line %lu: " - "Bad permitopen port", file, linenum); - xfree(patterns); - goto bad_option; - } - if (options.allow_tcp_forwarding) - channel_add_permitted_opens(host, port); xfree(patterns); goto next_option; } --- channels.c 24 Jul 2002 11:04:17 -0000 1.1.1.1 +++ channels.c 13 Aug 2002 19:17:08 -0000 @@ -96,6 +96,10 @@ /* Number of permitted host/port pairs in the array. */ static int num_permitted_opens...
2009 Oct 21
1
Patch to fix dynamic -R forwarding when not root
...his patch isn't necessary, and I did something else wrong when trying to 'ssh -R 0:localhost:22 user at remote', please let me know! --- serverloop.c.original 2009-10-21 10:45:13.000000000 +0300 +++ serverloop.c 2009-10-21 10:53:09.000000000 +0300 @@ -1119,9 +1119,9 @@ if (!options.allow_tcp_forwarding || no_port_forwarding_flag || (!want_reply && listen_port == 0) #ifndef NO_IPPORT_RESERVED_CONCEPT - || (listen_port < IPPORT_RESERVED && pw->pw_uid != 0) + || (listen_port !=0 && listen_port < IPPORT_RESERVED && pw->pw_uid !=...
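Review bot: the added test in the serverloop.c hunk is written `listen_port !=0`, without the space that the neighbouring comparisons use (`listen_port == 0`, `pw->pw_uid != 0`); write `listen_port != 0`. Since the exemption only makes sense because a requested port of 0 asks the server to pick the port, a one-line comment saying so above the reserved-port check would keep a later reader from treating it as a loophole in the `IPPORT_RESERVED` restriction for non-root users.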
2001 Mar 02
0
Patch for system-wide default environment
...08:27 2001 --- openssh-2.5.1p1-1/servconf.c Thu Mar 1 15:45:03 2001 *************** *** 81,86 **** --- 81,87 ---- options->challenge_reponse_authentication = -1; options->permit_empty_passwd = -1; options->use_login = -1; + options->sys_environment_file = NULL; options->allow_tcp_forwarding = -1; options->num_allow_users = 0; options->num_deny_users = 0; *************** *** 210,216 **** sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sStrictModes, sEmptyPasswd, sRandomSeedFile...
2001 Mar 14
1
/etc/default/login patch?
Would anybody happen to have or know of a patch to make /etc/default/login PATH and SUPATH the default openssh path? We have customized paths for each school of engineering (each have their own customized site bin). This is easily controlled with /etc/default/login. The --with-default-path option is too rigid. This is Solaris I am talking about. --mike
2002 Jul 04
1
[PATCH]: Remove HAVE_CYGWIN in favor of NO_IPPORT_RESERVED_CONCEPT
...RCS file: /cvs/openssh_cvs/serverloop.c,v retrieving revision 1.102 diff -u -p -r1.102 serverloop.c --- serverloop.c 25 Jun 2002 23:17:37 -0000 1.102 +++ serverloop.c 4 Jul 2002 09:13:34 -0000 @@ -972,8 +972,11 @@ server_input_global_request(int type, u_ /* check permissions */ if (!options.allow_tcp_forwarding || - no_port_forwarding_flag || - (listen_port < IPPORT_RESERVED && pw->pw_uid != 0)) { + no_port_forwarding_flag +#ifndef NO_IPPORT_RESERVED_CONCEPT + || (listen_port < IPPORT_RESERVED && pw->pw_uid != 0) +#endif + ) { success = 0; pac...
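Review bot: placing `#ifndef NO_IPPORT_RESERVED_CONCEPT` inside the `if` condition of server_input_global_request leaves `no_port_forwarding_flag` with no trailing operator and the closing `) {` on a line of its own, so this permission check is easy to break in a later edit. Consider moving the reserved-port test into a small macro or helper that evaluates to 0 when NO_IPPORT_RESERVED_CONCEPT is defined, so the check stays a single expression with no preprocessor lines in the middle of it.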
2002 May 29
2
[PATCH] Add config option disabling drop_connection() behavior
...@@ options->protocol = SSH_PROTO_UNKNOWN; options->gateway_ports = -1; options->num_subsystems = 0; + options->check_max_startups = -1; options->max_startups_begin = -1; options->max_startups_rate = -1; options->max_startups = -1; @@ -228,6 +229,8 @@ options->allow_tcp_forwarding = 1; if (options->gateway_ports == -1) options->gateway_ports = 0; + if (options->check_max_startups == -1) + options->check_max_startups = 1; if (options->max_startups == -1) options->max_startups = 10; if (options->max_startups_rate == -1) @@ -281,7 +28...
2017 May 04
5
OpenSSH contract development / patch
On Thu, May 04, 2017 at 09:37:59AM +1000, Adam Eijdenberg wrote: > Hi Devin, have you looked at using openssh certificates to help manage [...] > While the feature has been around for a while now (and is really > useful), there doesn't seem to be huge amount of documentation around > it. I found the following useful when getting a client of my running Yeah, when I wrote about it
2006 Mar 29
7
sshd config parser
Hi All. For various reasons, we're currently looking at extending (or even overhauling) the config parser used for sshd_config. Right now the syntax I'm looking at is a cumulative "Match" keyword that matches when all of the specified criteria are met. This would be similar to the Host directive used in ssh_config, although it's still limiting (eg you can't easily
2001 Nov 12
4
Please test -current
Could people please test -current? We will be making a release fairly soon. -d -- | By convention there is color, \\ Damien Miller <djm at mindrot.org> | By convention sweetness, By convention bitterness, \\ www.mindrot.org | But in reality there are atoms and space - Democritus (c. 400 BCE)
2001 Dec 05
1
permitopen for -R connections?
...sory glance through the code and I fail to see any functions in channels.c that are intended for setting up the reverse forwarded connections. I assume I will have to add a new check function in: serverloop.c:server_input_global_request at: /* check permissions */ if (!options.allow_tcp_forwarding || no_port_forwarding_flag || (listen_port < IPPORT_RESERVED && pw->pw_uid != 0)) { success = 0; packet_send_debug("Server has disabled port forwarding." I assumed I could implement a...
2005 Jan 20
0
AllowUsers - proposal for useful variations on the theme
...:11:54.385791373 +0000 @@ -78,16 +78,17 @@ options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; options->permit_empty_passwd = -1; options->permit_user_env = -1; options->use_login = -1; options->compression = -1; options->allow_tcp_forwarding = -1; options->num_allow_users = 0; + options->num_allow_users_fixedname = 0; options->num_deny_users = 0; options->num_allow_groups = 0; options->num_deny_groups = 0; options->ciphers = NULL; options->macs = NULL; options->protocol = SSH_PROTO_UNKNOWN; op...
2016 May 03
3
StreamLocal forwarding
...lbindmask 0177 > allowstreamlocalforwarding yes oh, that's a bug in the config dump support. diff --git a/servconf.c b/servconf.c index 6111c5a..2094c48 100644 --- a/servconf.c +++ b/servconf.c @@ -2293,6 +2293,7 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding); dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); + dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep)...
2001 Nov 20
3
problem with AFS token forwarding
Hello, I came across an interoperability problem in OpenSSH 3.0p1 and 3.0.1p1 concerning the AFS token forwarding. That means that the new versions are not able to exchange AFS tokens (and Kerberos TGTs) with older OpenSSH releases (including 2.9p2) and with the old SSH 1.2.2x. In my opinion this problem already existed in Openssh 2.9.9p1, but I have never used this version (I only looked at the
2001 Oct 09
1
TISviaPAM patch
Here is a patch that does TIS auth via PAM. It's controlled by a switch in the sshd_config. You'd use it by having a PAM module that sets PAM_PROMPT_ECHO_ON. eg, you could use it with pam_skey or pam_smxs. The patch is against the 2.9.9p2 distribution. I'm not on the list, a reply if this patch is accepted would be great. (But not required, I know some folks have a distaste for
2001 Oct 24
2
disable features
...+++ auth-options.c 22 Oct 2001 18:26:52 -0000 @@ -53,7 +53,9 @@ xfree(forced_command); forced_command = NULL; } +#ifdef WITH_TCPFWD channel_clear_permitted_opens(); +#endif } /* @@ -257,8 +259,10 @@ xfree(patterns); goto bad_option; } +#ifdef WITH_TCPFWD if (options.allow_tcp_forwarding) channel_add_permitted_opens(host, port); +#endif xfree(patterns); goto next_option; } Index: channels.c =================================================================== RCS file: /home/markus/cvs/ssh/channels.c,v retrieving revision 1.140 diff -u -r1.140 channels.c --- channe...
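Review bot: in the second auth-options.c hunk, a build without WITH_TCPFWD still parses the option and reaches `xfree(patterns); goto next_option;` with the `channel_add_permitted_opens(host, port)` call compiled out, so the key option is accepted with no trace that it had no effect. A `debug()` line in an `#else` branch, stating that TCP forwarding support is not compiled in, would make that visible to an administrator reading the server log.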
2002 Feb 15
0
[Bug 118] New: Implement TIS (protocol 1) via PAM
...15 02:15:05 2002 @@ -88,6 +88,7 @@ options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; + options->tis_via_pam = -1; options->permit_empty_passwd = -1; options->use_login = -1; options->allow_tcp_forwarding = -1; @@ -249,7 +250,7 @@ #ifdef AFS sAFSTokenPassing, #endif - sChallengeResponseAuthentication, + sChallengeResponseAuthentication, sTISviaPAM, sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sPrintMotd, sPrintLastLog, sIgnoreRhosts, sX11Forwarding, sX11Displa...
2009 Feb 17
2
Idea: reverse socks proxy
Hi, Just a usecase that I'm sure has been covered before but just in case it's not an openssh solution would be very helpful. I was trying to install software on a server that was firewalled so no outbound http connections would work. I was also tunnelling via another server. Outbound ssh connections also were a convenient option. What would have been nice would be a remote version of